IS&T Device Enrollment Program (DEP) for Macs

Apple provides the Device Enrollment Program (DEP) as a way of deploying institute-owned Mac or iOS devices. Technicians provide IS&T with the serial number of any Mac they would like enrolled in DEP. IS&T then uploads the serial number to Apple and assigns it to the correct Mobile Device Management (MDM) server. Once the computer has been booted, it automatically receives any policies supplied by the MDM server.

IS&T provides DEP as a service to the MIT community in conjunction with either IS&T's MDM server (Casper) or your department's own MDM server if you have one. If you are interested in our Casper offering, please visit our Casper page for more information. There is no cost associated with either the DEP or Casper service.

Please note that machines must have been purchased through an official MIT channel, after March 2011, for this to work.

IS&T will also provide training and one-on-one time for both DEP and Casper if requested.

Note: If you choose not to use the DEP method, take a look at this alternate solution using DeployStudio: IS&T Mac Imaging & Tools.

Contact Information

DEP Process

The EPM team enrolls your Mac into the DEP program and confirms that your machine is enrolled.

Boot your new or re-imaged Mac (not before the above step!).

Go through the Out of Box Experience. You must connect to the wireless SSID "MIT" or be on an already registered dongle.

You will then see a screen that says Configured by MIT. If you do not see this screen, contact the EPM team to double check enrollment.

If you missed the Configured by MIT screen

Run these commands from Terminal and then reboot. Your machine will go through the Out of Box Experience again.

sudo rm -rf /var/db/.AppleSetupDone

sudo rm -rf /var/db/ConfigurationProfiles

sudo rm -rf /Library/Keychains/apsd.keychain

Create an account and log in. The below policies will apply if you are using IS&T Casper.

Software Installs

Sophos

CertAid

Kerberos Extras

Identity Finder

Microsoft Office

Firefox

Acrobat

VLC

Cisco VPN

CrashPlan

Dropbox

Apple Software Updates

Configurations

Enable FileVault 2 file encryption

Add dock icons for Office, Firefox, and CrashPlan

Enable firewall

Create a local admin account

Change hostname to serial number

Set password policy to minimum 8 characters

Force password change on next login

Configure 802.1X authentication for Ethernet

When setup is complete, the computer will shut down, and the user will be prompted to change their password and begin encryption the next time they log in.

You can also set up machines to have additional software/scripts/printers installed through our Casper offering, or your own MDM policies if you have an MDM server.
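One way to confirm that three of the configurations listed above took effect after enrollment (FileVault 2, firewall, hostname set to the serial number), as an added example that is not IS&T's or Casper's own tooling. The function names, the script name and the `--run` switch are hypothetical, and the script assumes the usual output wording of `fdesetup status` and `socketfilterfw --getglobalstate` and that the policy sets ComputerName.

```shell
#!/bin/sh
# Added example (not IS&T tooling): audit a Mac against the page's configuration list.
# Parsers take command output as text, so they can be exercised without a Mac.

# `fdesetup status` reports "FileVault is On." once encryption is enabled.
filevault_on() { printf '%s\n' "$1" | grep -q '^FileVault is On\.'; }

# `socketfilterfw --getglobalstate` reports "Firewall is enabled. (State = 1)".
firewall_on() { printf '%s\n' "$1" | grep -q 'Firewall is enabled'; }

# Policy on this page: hostname is changed to the serial number.
# Compared case-insensitively; an empty serial never matches.
hostname_is_serial() {
  [ -n "$2" ] || return 1
  name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  serial=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  [ "$name" = "$serial" ]
}

# Run one check, print PASS/FAIL, and count failures.
check() {
  label=$1; shift
  if "$@"; then echo "PASS $label"; else echo "FAIL $label"; failures=$((failures + 1)); fi
}

# Args: fdesetup output, firewall output, computer name, serial number.
# Returns the number of failed checks (0 = compliant).
audit() {
  failures=0
  check "FileVault 2 enabled" filevault_on "$1"
  check "Firewall enabled" firewall_on "$2"
  check "Hostname equals serial number" hostname_is_serial "$3" "$4"
  return "$failures"
}

# Live run on macOS only: sh dep_audit.sh --run  (script name is hypothetical)
# Assumes the policy sets ComputerName; adjust if your MDM sets HostName instead.
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
  hw_serial=$(ioreg -c IOPlatformExpertDevice -d 2 |
    awk -F'"' '/IOPlatformSerialNumber/ {print $4}')
  audit "$(fdesetup status)" \
    "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)" \
    "$(scutil --get ComputerName)" "$hw_serial"
fi
```

The exit status is the number of failed checks, so the script can be attached to an MDM policy or run by hand after the first login.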

Removal of machines from DEP

Machines that will be leaving your ownership should be removed from DEP. Send any serial numbers to IS&T for removal. A machine can only be enrolled in DEP once, so once it has been removed it can never be added again. Please note this is an Apple limitation that may or may not change in the future.